How can I limit the results to only users that have more than 3 EventCode=4625?

AbelCruz
Path Finder

How can I limit the results to only users that have more than 3 EventCode=4625? I am trying to show only users that have more than 3 login failures within 5 minutes.

EventCode=4625 user="*" | dedup user | timechart count


davpx
Communicator
EventCode=4625 user="*" | bucket _time span=5m | stats count by user _time | where count>3


mayurr98
Super Champion

Hey, I think you are missing out on the where function of the timechart command.

You can try something like this:

EventCode=4625 user="*" 
| timechart span=5m count by user WHERE count > 3

For more info, refer to this link:
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Timechart#Where_clause_Examples

Let me know if this helps!

adonio
Ultra Champion

Hello there,

Looking at those Windows events, consider filtering out accounts that end with "$".
Also, the stats command with bucket will work great if the 3 events fall exactly in the 5-minute bucket. However, if for example I have 2 failed logins at 14:44:57 and 14:44:58 and then another 2 failed logins at 14:45:02 and 14:45:04, the | where clause will not apply.
I think | streamstats time_window=5m is a better option.
Try the following search, and add your | where count>3 clause after you see some results to test (you can add | timechart max(count) with the right span at the end if you would like to visualize the data).
Example searches:

index=wineventlog source="WinEventLog:Security" EventCode=4625 Account_Name=* action=failure
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval User=lower(User)
| search NOT User=*$
| bucket _time span=5m
| streamstats time_window=5m count by User _time
| timechart span=5m max(count) as failed_login by User

OR

index=wineventlog source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=* action=success
| eval User=if(mvcount(Account_Name)>1, mvindex(Account_Name,1), mvindex(Account_Name, 0))
| eval User=lower(User)
| search NOT User=*$
| bucket _time span=5m
| streamstats time_window=5m count by User _time
| table _time User count

Hope it helps.

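The fixed-bucket versus sliding-window difference adonio describes, as an added Python example that is not part of the thread or of Splunk: it runs both counting methods over constructed 4625 events that straddle a 5-minute boundary, applies the machine-account filter, and uses the "more than 3 in 5 minutes" threshold. Function and sample names are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, EventCode, Account_Name).
# "alice" reproduces the edge case above: 2 failures at 14:44:57/58 and
# 2 more at 14:45:02/04, split across two 5-minute buckets.
SAMPLE_EVENTS = [
    ("2024-03-01 14:44:57", "4625", "alice"),
    ("2024-03-01 14:44:58", "4625", "alice"),
    ("2024-03-01 14:45:02", "4625", "alice"),
    ("2024-03-01 14:45:04", "4625", "alice"),
    ("2024-03-01 14:40:10", "4625", "bob"),
    ("2024-03-01 14:41:10", "4625", "bob"),
    ("2024-03-01 14:42:10", "4625", "bob"),
    ("2024-03-01 14:43:10", "4625", "bob"),
    ("2024-03-01 14:44:00", "4624", "alice"),   # successful logon, ignored
    ("2024-03-01 14:44:30", "4625", "WKS01$"),  # machine account, filtered out
]

def parse(events):
    """Keep 4625 only, drop accounts ending in '$', lowercase, sort by time."""
    out = []
    for ts, code, account in events:
        if code != "4625" or account.endswith("$"):
            continue
        out.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account.lower()))
    return sorted(out)

def fixed_bucket_offenders(events, span_minutes=5, threshold=3):
    """Mirror of `| bucket _time span=5m | stats count by User _time | where count>3`."""
    buckets = defaultdict(int)
    for ts, user in parse(events):
        floor = ts.replace(minute=ts.minute - ts.minute % span_minutes, second=0, microsecond=0)
        buckets[(user, floor)] += 1
    peak = defaultdict(int)
    for (user, _), n in buckets.items():
        peak[user] = max(peak[user], n)
    return {u: n for u, n in peak.items() if n > threshold}

def sliding_window_offenders(events, span_minutes=5, threshold=3):
    """Mirror of `| streamstats time_window=5m count by User`: a window ending at each event."""
    window = timedelta(minutes=span_minutes)
    recent, peak = defaultdict(deque), defaultdict(int)
    for ts, user in parse(events):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # evict events older than the window
            q.popleft()
        peak[user] = max(peak[user], len(q))
    return {u: n for u, n in peak.items() if n > threshold}

if __name__ == "__main__":
    print("fixed buckets :", fixed_bucket_offenders(SAMPLE_EVENTS))    # bob only
    print("sliding window:", sliding_window_offenders(SAMPLE_EVENTS))  # alice and bob
```

The fixed-bucket pass misses alice because her four failures are split 2/2 across the 14:40 and 14:45 buckets; the sliding window counts all four within seven seconds.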
